I’m having a problem where I get permission denied when attempting to run logstash within the container and accessing configurations provided via a host volume. But if I explicitly run the command within a shell it works fine.

2 Solutions collected from the web for “How does docker run differ from running a command from a shell within the container”

As a first clue, I see in the logstash Dockerfile that its ENTRYPOINT is docker-entrypoint.sh

# Run as user "logstash" if the command is "logstash"
if [ "$1" = 'logstash' ]; then
    set -- gosu logstash "$@"
fi

That would explain the difference between logstash and sh -c 'logstash...': the first parameter is no longer logstash.

So you need to make sure $PWD/logstash/config is, once mounted, accessible to user ‘logstash’.

The OP Mark Caudill adds in the comments:

adding :Z modifier to the -v parameter sets the correct SELinux labels on the files and directories

logstash is running as root

chcon -R system_u:object_r:svirt_sandbox_file_t:s0 ./ on each directory being mounted as a host volume

These points allow the logstash process to access the host volume.
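
An added example (not part of the original answers or of the logstash image): it replays the entrypoint branch quoted above for both ways of starting the container, then lists the paths in a host config directory that a user who is neither owner nor group member could not read. Assumptions: the container starts as root unless the entrypoint switches user, the "logstash" user does not match the host owner or group of the mounted files, and the function names are hypothetical. SELinux labels are not checked.

```shell
#!/bin/sh
# Mirrors the branch quoted from docker-entrypoint.sh: print the command
# line the entrypoint would go on to run for the given arguments.
entrypoint_plan() {
    if [ "$1" = 'logstash' ]; then
        set -- gosu logstash "$@"
    fi
    echo "$*"
}

# Name the user the workload ends up running as.
# Assumption: the container starts as root when no user switch happens.
effective_user() {
    case "$(entrypoint_plan "$@")" in
        "gosu logstash "*) echo logstash ;;
        *)                 echo root ;;
    esac
}

# List directories without o+rx and files without o+r under "$1".
# Assumption: the container's logstash user falls into "others" for
# these host files, so these are the paths it cannot open.
unreadable_by_others() {
    find "$1" \( \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \) \) -print
}

# Demo with constructed command lines (IMAGE is a placeholder).
echo "docker run IMAGE logstash -f ...     runs as: $(effective_user logstash -f /config/logstash.conf)"
echo "docker run IMAGE sh -c 'logstash ...' runs as: $(effective_user sh -c 'logstash -f /config/logstash.conf')"
```

Run `unreadable_by_others "$PWD/logstash/config"` on the host before starting the container; empty output means the mode bits are not what blocks the logstash user.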

I don’t fully understand your questions but this should help …

RUN runs the specified command inside a container at DOCKER BUILD time. ENTRYPOINT runs the specified command inside a container at DOCKER RUN time.

When mounting a volume, the files inside the container that exist inside the image (at build time) will be overwritten. The files inside the container that were created at docker run time will be accessible in the mounted volume, and thus will be accessible both inside the container and from the host.